{ "threat_severity" : "Moderate", "public_date" : "2026-01-12T22:55:40Z", "bugzilla" : { "description" : "libpng: libpng: Denial of service and information disclosure via heap buffer over-read in png_image_finish_read", "id" : "2428825", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2428825" }, "cvss3" : { "cvss3_base_score" : "6.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-125", "details" : [ "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.", "A flaw was found in libpng, a reference library for processing PNG (Portable Network Graphics) image files. A local attacker could exploit a heap buffer over-read vulnerability in the `png_image_finish_read` function by tricking a user into processing a specially crafted interlaced 16-bit PNG file with an 8-bit output format and non-minimal row stride. This could lead to a denial of service (DoS) and potentially information disclosure." ], "statement" : "This vulnerability is rated Moderate for Red Hat products. A heap buffer over-read flaw exists in the libpng library when processing specially crafted interlaced 16-bit PNG images with 8-bit output format and non-minimal row stride. This issue requires user interaction, as an attacker would need to trick a user into opening a malicious PNG file.", "affected_release" : [ { "product_name" : "OPENJDK ELS 11.0.31", "release_date" : "2026-04-22T00:00:00Z", "advisory" : "RHSA-2026:9255", "cpe" : "cpe:/a:redhat:openjdk_els:11", "package" : "java-11-openjdk-portable" }, { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2026-03-02T00:00:00Z", "advisory" : "RHSA-2026:3551", "cpe" : "cpe:/o:redhat:enterprise_linux:10.1", "package" : "libpng-2:1.6.40-8.el10_1.2" }, { "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support", "release_date" : "2026-03-03T00:00:00Z", "advisory" : "RHSA-2026:3577", "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0", "package" : "libpng-2:1.6.40-8.el10_0.2" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2026-03-11T00:00:00Z", "advisory" : "RHSA-2026:4306", "cpe" : "cpe:/a:redhat:enterprise_linux:8::crb", "package" : "mingw-libpng-0:1.6.34-2.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2026-03-17T00:00:00Z", "advisory" : "RHSA-2026:4728", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "libpng-2:1.6.34-10.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date" : "2026-03-17T00:00:00Z", "advisory" : "RHSA-2026:4732", "cpe" : "cpe:/o:redhat:rhel_aus:8.2", "package" : "libpng-2:1.6.34-8.el8_2.2" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date" : "2026-03-17T00:00:00Z", "advisory" : "RHSA-2026:4731", "cpe" : "cpe:/o:redhat:rhel_aus:8.4", "package" : "libpng-2:1.6.34-8.el8_4.2" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On", "release_date" : "2026-03-17T00:00:00Z", "advisory" : "RHSA-2026:4731", "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4", "package" : "libpng-2:1.6.34-8.el8_4.2" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2026-03-17T00:00:00Z", "advisory" : "RHSA-2026:4730", "cpe" : "cpe:/o:redhat:rhel_aus:8.6", "package" : "libpng-2:1.6.34-8.el8_6.2" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2026-03-17T00:00:00Z", "advisory" : "RHSA-2026:4730", "cpe" : "cpe:/o:redhat:rhel_tus:8.6", "package" : "libpng-2:1.6.34-8.el8_6.2" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2026-03-17T00:00:00Z", "advisory" : "RHSA-2026:4730", "cpe" : "cpe:/o:redhat:rhel_e4s:8.6", "package" : "libpng-2:1.6.34-8.el8_6.2" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "release_date" : "2026-03-17T00:00:00Z", "advisory" : "RHSA-2026:4729", "cpe" : "cpe:/o:redhat:rhel_tus:8.8", "package" : "libpng-2:1.6.34-8.el8_8.2" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date" : "2026-03-17T00:00:00Z", "advisory" : "RHSA-2026:4729", "cpe" : "cpe:/o:redhat:rhel_e4s:8.8", "package" : "libpng-2:1.6.34-8.el8_8.2" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-02-26T00:00:00Z", "advisory" : "RHSA-2026:3405", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "libpng-2:1.6.37-12.el9_7.2" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-02-26T00:00:00Z", "advisory" : "RHSA-2026:3405", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "libpng-2:1.6.37-12.el9_7.2" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2026-03-02T00:00:00Z", "advisory" : "RHSA-2026:3573", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0", "package" : "libpng-2:1.6.37-12.el9_0.2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2026-03-03T00:00:00Z", "advisory" : "RHSA-2026:3575", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2", "package" : "libpng-2:1.6.37-12.el9_2.2" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2026-03-03T00:00:00Z", "advisory" : "RHSA-2026:3574", "cpe" : "cpe:/a:redhat:rhel_eus:9.4", "package" : "libpng-2:1.6.37-12.el9_4.2" }, { "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support", "release_date" : "2026-03-03T00:00:00Z", "advisory" : "RHSA-2026:3576", "cpe" : "cpe:/a:redhat:rhel_eus:9.6", "package" : "libpng-2:1.6.37-12.el9_6.2" }, { "product_name" : "Red Hat OpenJDK 11 els for RHEL 7", "release_date" : "2026-04-22T00:00:00Z", "advisory" : "RHSA-2026:9254", "cpe" : "cpe:/a:redhat:openjdk_els:11::el7", "package" : "java-11-openjdk-1:11.0.31.0.11-1.el7_9" }, { "product_name" : "Red Hat OpenJDK 11 els for RHEL 8", "release_date" : "2026-04-22T00:00:00Z", "advisory" : "RHSA-2026:9254", "cpe" : "cpe:/a:redhat:openjdk_els:11::el8", "package" : "java-11-openjdk-1:11.0.31.0.11-1.el8" }, { "product_name" : "Red Hat OpenJDK 11 els for RHEL 9", "release_date" : "2026-04-22T00:00:00Z", "advisory" : "RHSA-2026:9254", "cpe" : "cpe:/a:redhat:openjdk_els:11::el9", "package" : "java-11-openjdk-1:11.0.31.0.11-1.el9" }, { "product_name" : "Red Hat OpenShift Container Platform 4.12", "release_date" : "2026-05-08T00:00:00Z", "advisory" : "RHSA-2026:12274", "cpe" : "cpe:/a:redhat:openshift:4.12::el8", "package" : "rhcos-412.86.202604281506-0" }, { "product_name" : "Red Hat AI Inference Server 3.3", "release_date" : "2026-05-12T00:00:00Z", "advisory" : "RHSA-2026:16174", "cpe" : "cpe:/a:redhat:ai_inference_server:3.3::el9", "package" : "rhaiis/vllm-spyre-rhel9:1778244546" }, { "product_name" : "Red Hat AI Inference Server 3.3", "release_date" : "2026-04-17T00:00:00Z", "advisory" : "RHSA-2026:8746", "cpe" : "cpe:/a:redhat:ai_inference_server:3.3::el9", "package" : "rhaiis/vllm-cuda-rhel9:1775680192" }, { "product_name" : "Red Hat AI Inference Server 3.3", "release_date" : "2026-04-17T00:00:00Z", "advisory" : "RHSA-2026:8747", "cpe" : "cpe:/a:redhat:ai_inference_server:3.3::el9", "package" : "rhaiis/vllm-rocm-rhel9:1775680262" }, { "product_name" : "Red Hat AI Inference Server 3.3", "release_date" : "2026-04-17T00:00:00Z", "advisory" : "RHSA-2026:8748", "cpe" : "cpe:/a:redhat:ai_inference_server:3.3::el9", "package" : "rhaiis/model-opt-cuda-rhel9:1775749857" }, { "product_name" : "Red Hat Ceph Storage 8", "release_date" : "2026-03-24T00:00:00Z", "advisory" : "RHSA-2026:5606", "cpe" : "cpe:/a:redhat:ceph_storage:8::el9", "package" : "rhceph/rhceph-8-rhel9:1774002867" }, { "product_name" : "Red Hat Discovery 2", "release_date" : "2026-03-12T00:00:00Z", "advisory" : "RHSA-2026:4501", "cpe" : "cpe:/a:redhat:discovery:2::el9", "package" : "discovery/discovery-ui-rhel9:1773273070" }, { "product_name" : "Red Hat Hardened Images", "release_date" : "2026-04-07T00:00:00Z", "advisory" : "RHSA-2026:6732", "cpe" : "cpe:/a:redhat:hummingbird:1", "package" : "libpng-main-1.6.56-1.hum1" } ], "package_state" : [ { "product_name" : "Red Hat build of OpenJDK 11 ELS", "fix_state" : "Not affected", "package_name" : "java-21-openjdk-portable", "cpe" : "cpe:/a:redhat:openjdk_els:11" }, { "product_name" : "Red Hat build of OpenJDK 17", "fix_state" : "Affected", "package_name" : "java-17-openjdk-portable", "cpe" : "cpe:/a:redhat:openjdk:17" }, { "product_name" : "Red Hat build of OpenJDK 17", "fix_state" : "Not affected", "package_name" : "java-21-openjdk-portable", "cpe" : "cpe:/a:redhat:openjdk:17" }, { "product_name" : "Red Hat build of OpenJDK 1.8", "fix_state" : "Affected", "package_name" : "java-1.8.0-openjdk-portable", "cpe" : "cpe:/a:redhat:openjdk:1.8" }, { "product_name" : "Red Hat build of OpenJDK 21", "fix_state" : "Affected", "package_name" : "java-21-openjdk-portable", "cpe" : "cpe:/a:redhat:openjdk:21" }, { "product_name" : "Red Hat build of OpenJDK 21", "fix_state" : "Not affected", "package_name" : "java-21-openjdk-portable-rhel7", "cpe" : "cpe:/a:redhat:openjdk:21" }, { "product_name" : "Red Hat build of OpenJDK 25", "fix_state" : "Not affected", "package_name" : "java-21-openjdk-vanilla", "cpe" : "cpe:/a:redhat:openjdk:25" }, { "product_name" : "Red Hat build of OpenJDK 25", "fix_state" : "Affected", "package_name" : "java-25-openjdk-portable", "cpe" : "cpe:/a:redhat:openjdk:25" }, { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "firefox", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Affected", "package_name" : "java-21-openjdk", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Affected", "package_name" : "java-25-openjdk", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "thunderbird", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Affected", "package_name" : "libpng", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "firefox", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "libpng", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "libpng12", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "firefox", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Affected", "package_name" : "java-17-openjdk", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Affected", "package_name" : "java-1.8.0-openjdk", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Affected", "package_name" : "java-21-openjdk", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "libpng12", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "libpng15", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "thunderbird", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "firefox", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "java-17-openjdk", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "java-1.8.0-openjdk", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "java-21-openjdk", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "java-25-openjdk", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "libpng15", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "thunderbird", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-22695\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-22695\nhttps://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea\nhttps://github.com/pnggroup/libpng/commit/e4f7ad4ea2\nhttps://github.com/pnggroup/libpng/issues/778\nhttps://github.com/pnggroup/libpng/security/advisories/GHSA-mmq5-27w3-rxpp" ], "name" : "CVE-2026-22695", "mitigation" : { "value" : "To mitigate this issue, users should avoid opening untrusted PNG image files. Applications that process PNG images should be configured to restrict processing of untrusted or unverified content where possible.", "lang" : "en:us" }, "csaw" : false }